Is there a common method to test a $_GET variable to be plain text and not a url or file. I want to improve the security of passing variables to a page, so that someone can't introduce a url into the string.

I had a page where I would provide a file name for a pictures, and then four lines of comments. It occurred to me that that could be a security issue.

I made a test to insure that the picture file exists on the current server (Thanks to NogDog ), but am kind of stumped on the string data.

http://uk.php.net/manual/en/function.preg-match.php

this will allow spaces and a-z (caps or lowercase)

if (preg_match("/^[a-zA-Z\ ]+$/u", $_GET['yourvar']))
{
echo 'this is not plain text';
}

Ah! Exactly what I was looking for. I just added 0-9 to it to allow numbers too.

Those preg_match things are powerful, but I don't really get the nomenclature. I will have to study those some.

Thanks